CVE-2014-7810
Published: 7 June 2015
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
From the Ubuntu Security Team
It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism.
Priority
Status
Package: tomcat6 (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
artful | Does not exist |
bionic | Does not exist |
precise | Released (6.0.35-1ubuntu3.6) |
trusty | Released (6.0.39-1ubuntu0.1) |
upstream | Released (6.0.41-3) |
utopic | Ignored (end of life) |
vivid | Ignored (end of life) |
wily | Ignored (end of life) |
xenial | Released (6.0.45+dfsg-1) |
yakkety | Does not exist |
zesty | Does not exist |

Patches:
- upstream: http://svn.apache.org/viewvc?view=revision&revision=1645366
- upstream: http://svn.apache.org/viewvc?view=revision&revision=1659538

Package: tomcat7 (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
artful | Not vulnerable (7.0.61-1) |
bionic | Not vulnerable (7.0.61-1) |
precise | Ignored (end of life) |
trusty | Released (7.0.52-1ubuntu0.3) |
upstream | Released (7.0.61-1) |
utopic | Released (7.0.55-1ubuntu0.2) |
vivid | Released (7.0.56-2ubuntu0.1) |
wily | Not vulnerable (7.0.61-1) |
xenial | Not vulnerable (7.0.61-1) |
yakkety | Not vulnerable (7.0.61-1) |
zesty | Not vulnerable (7.0.61-1) |

Patches:
- upstream: http://svn.apache.org/viewvc?view=revision&revision=1644019
- upstream: http://svn.apache.org/viewvc?view=revision&revision=1645644

Package: tomcat8 (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
artful | Not vulnerable (8.0.22-2) |
bionic | Not vulnerable (8.0.22-2) |
precise | Does not exist |
trusty | Does not exist |
upstream | Released (8.0.21-2) |
utopic | Ignored (end of life) |
vivid | Released (8.0.14-1+deb8u1build0.15.04.1) |
wily | Not vulnerable (8.0.22-2) |
xenial | Not vulnerable (8.0.22-2) |
yakkety | Not vulnerable (8.0.22-2) |
zesty | Not vulnerable (8.0.22-2) |
References
- http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
- https://ubuntu.com/security/notices/USN-2655-1
- https://ubuntu.com/security/notices/USN-2654-1
- https://www.cve.org/CVERecord?id=CVE-2014-7810
- NVD
- Launchpad
- Debian